Ubuntu
apt package

Bug #1464801
Comment #3

Comment 3 for bug 1464801

Revision history for this message

Seth Arnold (seth-arnold) wrote on 2015-06-13:

I believe all the files that were downloaded are genuine, too, though the demonstration is more roundabout than I would like:

sarnold@hunt:/tmp/apt/var/lib/apt/lists$ grep -f <(sha256sum * | awk '{print $1;}') archive.ubuntu.com_ubuntu_dists_precise-backports_Release | grep -v e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
b19dad0241496981159cc4bdd832f68863a16f5257057d4739fe390ad36f1dfa 21644 main/binary-i386/Packages
7b9cc62fd4281a5e336cd53e1d7265d3c9703f4c04e422dc5a9b263797741708 14665 main/i18n/Translation-en
42da384f83de934352906c6feed375e98f3a68ac6dc3af3852ae17925e9474c0 202 main/i18n/Index
5f2fe1e729f1ebec597f50781606a9666703c59f35b7a63905a799ddbf0719e9 19590 multiverse/binary-i386/Packages
04fe1beea9321f229d08d311cc5fe999a9972f2b35cf433be1acccddc8027c0c 13610 multiverse/i18n/Translation-en
88b3c3cbfda029d6be3a728c931f4a1647797b2dd77ade2924f4385fc9276a04 202 multiverse/i18n/Index
403da8f44040aa80cdb6b010de855a5b1c7cdd11cc200e375100f2653da4594b 193 restricted/i18n/Index
f2229eb5e57ae17f098850b348aa5ddc1d3bdf70a34278bc1b767ec7e06263e7 219987 universe/binary-i386/Packages
9e3b231b6660ed1d412163f5164b992a183696c83cba35e16852d68f6231eb19 138954 universe/i18n/Translation-en
8f06375c2c5028c4ea9d7f0fc6010757f7064496877f665c737fca2a35e189aa 205 universe/i18n/Index
sarnold@hunt:/tmp/apt/var/lib/apt/lists$ grep -f <(sha256sum * | awk '{print $1;}') archive.ubuntu.com_ubuntu_dists_precise-backports_Release | grep -v e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | wc -l
10

sarnold@hunt:/tmp/apt/var/lib/apt/lists$ sha256sum * | grep -v archive.ubuntu.com_ubuntu_dists_precise-backports_Release | grep -v e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | wc -l
10

sarnold@hunt:/tmp/apt/var/lib/apt/lists$ gpg *gpg
Detached signature.
Please enter name of data file: archive.ubuntu.com_ubuntu_dists_precise-backports_Release
gpg: Signature made Wed 10 Jun 2015 01:26:14 AM PDT using DSA key ID 437D05B5
gpg: Good signature from "Ubuntu Archive Automatic Signing Key <email address hidden>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6302 39CC 130E 1A7F D81A 27B1 4097 6EAF 437D 05B5

I believe all the files that were downloaded are genuine, too, though the demonstration is more roundabout than I would like:

sarnold@hunt:/tmp/apt/var/lib/apt/lists$ grep -f <(sha256sum * | awk '{print $1;}') archive.ubuntu.com_ubuntu_dists_precise-backports_Release | grep -v e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
 b19dad0241496981159cc4bdd832f68863a16f5257057d4739fe390ad36f1dfa            21644 main/binary-i386/Packages
 7b9cc62fd4281a5e336cd53e1d7265d3c9703f4c04e422dc5a9b263797741708            14665 main/i18n/Translation-en
 42da384f83de934352906c6feed375e98f3a68ac6dc3af3852ae17925e9474c0              202 main/i18n/Index
 5f2fe1e729f1ebec597f50781606a9666703c59f35b7a63905a799ddbf0719e9            19590 multiverse/binary-i386/Packages
 04fe1beea9321f229d08d311cc5fe999a9972f2b35cf433be1acccddc8027c0c            13610 multiverse/i18n/Translation-en
 88b3c3cbfda029d6be3a728c931f4a1647797b2dd77ade2924f4385fc9276a04              202 multiverse/i18n/Index
 403da8f44040aa80cdb6b010de855a5b1c7cdd11cc200e375100f2653da4594b              193 restricted/i18n/Index
 f2229eb5e57ae17f098850b348aa5ddc1d3bdf70a34278bc1b767ec7e06263e7           219987 universe/binary-i386/Packages
 9e3b231b6660ed1d412163f5164b992a183696c83cba35e16852d68f6231eb19           138954 universe/i18n/Translation-en
 8f06375c2c5028c4ea9d7f0fc6010757f7064496877f665c737fca2a35e189aa              205 universe/i18n/Index
sarnold@hunt:/tmp/apt/var/lib/apt/lists$ grep -f <(sha256sum * | awk '{print $1;}') archive.ubuntu.com_ubuntu_dists_precise-backports_Release | grep -v e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | wc -l
10

sarnold@hunt:/tmp/apt/var/lib/apt/lists$ gpg *gpg
Detached signature.
Please enter name of data file: archive.ubuntu.com_ubuntu_dists_precise-backports_Release
gpg: Signature made Wed 10 Jun 2015 01:26:14 AM PDT using DSA key ID 437D05B5
gpg: Good signature from "Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6302 39CC 130E 1A7F D81A  27B1 4097 6EAF 437D 05B5

Ubuntuapt package

Comment 3 for bug 1464801

Ubuntu
apt package